Session ID without Hashing
In PHP 7.1, the session extension has been cleaned
up and modernized. One notable change that has potential side
effects on userland code is the generation of the session
identifier: PHP no longer hashes the generated id string. This
brought a substantial performance increase, as the old hash-based
implementation is almost three times slower.
As a side effect of this change, the following ini settings are no longer required and have been removed:
session.hash_function
session.hash_bits_per_character
session.entropy_file
session.entropy_length
To avoid breaking backward compatibility with existing session handlers and storages, the length of the session id string remained the same. For stronger session id strings, both the length and the bits used per character can be adjusted with the following two new ini settings:
session.sid_length
session.sid_bits_per_character
As cryptographically stronger session ids are always a good idea,
using session.sid_length=48 and
session.sid_bits_per_character=5 is the recommended
setting. When compatibility with PHP 5 is needed, the default values
– session.sid_length=32 and
session.sid_bits_per_character=4 – should not be
changed.
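The following is an added example, not code from the original article or from PHP itself. It applies the recommended setting at runtime, generates an id with PHP 7.1's session_create_id(), and shows a format check that a custom session handler can run on ids supplied by the client (for example from SessionUpdateTimestampHandlerInterface::validateId()) before consulting storage. The alphabets per bits-per-character value (4: 0-9a-f, 5: 0-9a-v, 6: 0-9a-zA-Z plus comma and minus) are PHP's documented ones; the sample ids are constructed, and isWellFormedSessionId() and sidCharClass() are names chosen here.

```php
<?php
// Added example (not from the original article): configure the PHP 7.1+
// session id format and validate ids before a handler touches storage.

// Recommended setting from the article: 48 characters, 5 bits per character.
// (PHP 5 compatible defaults would be 32 and 4.)
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '5');

/**
 * Character class PHP uses for a given session.sid_bits_per_character value.
 * Documented alphabets: 4 -> 0-9a-f, 5 -> 0-9a-v, 6 -> 0-9a-zA-Z plus "," and "-".
 */
function sidCharClass(int $bitsPerChar): string
{
    switch ($bitsPerChar) {
        case 4: return '0-9a-f';
        case 5: return '0-9a-v';
        case 6: return '0-9a-zA-Z,\\-';
        default:
            throw new InvalidArgumentException('sid_bits_per_character must be 4, 5 or 6');
    }
}

/**
 * True when $id has exactly the configured length and only characters of the
 * configured alphabet. A custom handler can call this from validateId() to
 * reject malformed ids (hypothetical helper, not part of PHP).
 */
function isWellFormedSessionId(string $id, int $length, int $bitsPerChar): bool
{
    $pattern = '/\A[' . sidCharClass($bitsPerChar) . ']{' . $length . '}\z/';
    return preg_match($pattern, $id) === 1;
}

// Read the configured values back as PHP sees them.
$length = (int) ini_get('session.sid_length');
$bits   = (int) ini_get('session.sid_bits_per_character');

// An id generated under the current settings (PHP 7.1+).
$generated = session_create_id();
printf("generated id: %s\n", $generated);
printf("generated id well-formed: %s\n", isWellFormedSessionId($generated, $length, $bits) ? 'yes' : 'no');

// Constructed sample ids for illustration.
$samples = [
    'right length, 5-bit alphabet' => str_repeat('a', 48),
    'PHP 5 style length (32)'      => str_repeat('a', 32),
    'contains z (not in 0-9a-v)'   => str_repeat('z', 48),
];
foreach ($samples as $label => $id) {
    printf("%-30s -> %s\n", $label, isWellFormedSessionId($id, $length, $bits) ? 'accepted' : 'rejected');
}

// Size of the id space under each configuration: length * bits per character.
printf("configured id entropy: %d bits (PHP 5 defaults: %d bits)\n", $length * $bits, 32 * 4);
```

Rejecting ids that do not match the configured length and alphabet costs almost nothing and keeps arbitrary client-supplied strings from reaching the storage layer; it is a complement to, not a substitute for, session.use_strict_mode, which makes PHP discard ids the handler does not recognize.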